PT-2026-4295
Rmcnamara-Snyk
Published 2026-01-01 · Updated 2026-05-12
CVE-2026-23954
CVSS v3.1: 8.7 (High)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Incus versions 6.21.0 and below; IncusOS (affected versions not specified)

Description: Incus is a system container and virtual machine manager. A flaw exists where a user capable of launching containers with custom images (e.g., a member of the ‘incus’ group) can leverage directory traversal or symbolic links within the templating functionality to achieve arbitrary file read and write access on the host system. This can ultimately lead to arbitrary command execution on the host. Specifically, when an image utilizes a metadata.yaml file containing templates, the source and target paths are not adequately validated for symbolic links or directory traversal. This allows an attacker to read arbitrary files from the host filesystem and write files to arbitrary locations, potentially overwriting critical system files. Exploitation on IncusOS requires a minor modification to the stage2 process. The vulnerability allows a user to read arbitrary files from the host filesystem and write files to the host filesystem as root.

Recommendations: For Incus versions 6.21.0 and below, apply a fix as it becomes available. For IncusOS, apply a fix as it becomes available.
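The description names two missing checks on template source and target paths: containment against ".." traversal and refusal of symbolic links. As an added illustration (not code from Incus, IncusOS or this advisory), the helper below shows the general shape of such a check: a path is accepted only if it lexically stays under a root directory and no existing component along the way is a symlink. The helper name SafeJoin, the error values and the sample paths in main are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when the requested path would resolve outside the root.
var ErrEscapesRoot = errors.New("path escapes root directory")

// ErrSymlink is returned when an existing path component under root is a symbolic link.
var ErrSymlink = errors.New("path component is a symbolic link")

// SafeJoin (hypothetical name, not from Incus) joins rel onto root and returns the
// result only if it is confined to root. Two independent checks apply:
//   1. lexical: absolute paths and ".." components that climb above root are refused;
//   2. filesystem: every component that already exists is Lstat'ed and refused if it
//      is a symlink, so a link inside the tree cannot redirect the access elsewhere.
// Components that do not exist yet are permitted so that the caller may create the
// target. root is assumed to be a trusted, already-resolved directory.
func SafeJoin(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", fmt.Errorf("%w: %q is absolute", ErrEscapesRoot, rel)
	}
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, rel) // Join cleans, collapsing any ".." segments

	// Re-derive the relative path; if it starts with "..", the join climbed out of root.
	back, err := filepath.Rel(cleanRoot, full)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, rel)
	}

	// Walk component by component, refusing symlinks wherever one exists on disk.
	cur := cleanRoot
	for _, part := range strings.Split(back, string(filepath.Separator)) {
		if part == "." || part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // nothing below this point exists yet, so there is nothing left to check
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %s", ErrSymlink, cur)
		}
	}
	return full, nil
}

func main() {
	// Constructed demonstration: a scratch root directory with one symlink inside it.
	root, err := os.MkdirTemp("", "rootfs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.Symlink("/etc", filepath.Join(root, "link"))

	for _, rel := range []string{"etc/hostname", "../etc/passwd", "/etc/passwd", "link/passwd"} {
		if p, err := SafeJoin(root, rel); err != nil {
			fmt.Printf("%-16s rejected: %v\n", rel, err)
		} else {
			fmt.Printf("%-16s ok: %s\n", rel, p)
		}
	}
}
```

The lexical check alone is not enough: "link/passwd" passes it, since the cleaned path stays under root, and is only caught by the per-component Lstat. Refusing every symlink is the conservative choice for untrusted image content; a tool that must honour links inside the tree would instead resolve each one and re-run the containment check on its target.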

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2026-00871
CVE-2026-23954
GHSA-7F67-CRQM-JGH7
GO-2026-4357
OPENSUSE-SU-2026:10280-1
SUSE-SU-2026:0403-1

Affected Products

Incus
Incusos
Red Os